Everything's on fire. Here's how we're trying to put it out.
The past few years have seen a huge rise in the number of attacks both active and passive, against organisations big and small. Attacks against organisations happen for a multitude of reasons: extortion via "ransomware", exfiltration of commercial secrets, or just "the lulz". While this can be crippling to a commercial business, it can potentially be devastating to an NGO, especially those which work to hold powerful institutions to account. The types of information held by such NGOs could potentially lead to arrests, kidnappings, or even deaths, if it were to be released.
Even specialist security and surveillance companies struggle: the now infamous attack on Hacking Team, the Italian surveillance company, used a zero-day against an embedded device inside their network over which they had little control. This embedded device was then used as a pivot to move around inside their network, and unencrypted backups of credentials then allowed the attacker to find passwords to key services, at which point it was Game Over. Over 400GB was taken out of the organisation's network over a period of approximately 23 hours (via their network security staff's computer, no less!) without anyone noticing.
Though NGOs are particularly at risk, fixing the problem is even harder for them. Tech knowledge is expensive, not easy to find, and until recently was not considered in funding models. Defense and day-to-day management requires multi-disciplinary teams, which can increase costs exponentially. We have seen some initiatives to address this in recent years; but we are concerned that they are unsustainable in the long run, and these initiatives generally involve parachuting in, running training sessions, implementing a bunch of things (generally tools), and then going away again. There is little in the way of true long-term capacity building for the full organisation. It is all too easy for bad practices to slip back as time goes on - especially if the organisation is short on staff, time, and resources.
This is a huge concern for us at Privacy International, not only for ourselves and our wider network of partners across the globe, but also for the wider health of civil society organisations everywhere.
The common answer has been "Use Signal, Use Tor", as though the usage of certain tools is a panacea which will solve all ills at an organisation. It doesn't matter how secure the endpoints are (or aren't) if the organisation's infrastructure itself is insecure. It also doesn't address problems of ransomware or a hack spreading through an organisation at will.
In an age of Bring Your Own Devices and Internet of Things (lovingly dubbed the Internet of Shit) where control is removed from the organisation, the problems are exacerbated. When was the last time people at your organisation updated their laptop? When was the last time your organisation updated the printer? Is there even an update available for $fancyGadget you bought from Amazon?
Of course, we can't put all of the blame squarely on the shoulders of users; indeed, many people have been trained to be wary of updates due to function creep and vast changes being rolled together with important security updates. One example of such function creep goes back to the example of printers – were a company to update the firmware on their printer, in addition to various bug fixes, it is possible they would also suddenly become locked into only being able to use "Genuine" cartridges rather than the generics they currently use (at literally less than 1/10th of the price). On mobile phones, an app update often comes with permission creep and no explanation of why your calculator suddenly needs the ability to make phone calls and read your contacts list. If you do the "right" thing and patch your router against remote root and code execution exploits, you could also be opening yourself up to data collection by the manufacturer. The list goes on.
So how can we approach the technical security of an organisation with incredibly limited resources (other than pushing the blame and responsibility down onto the end user) in a way which is scalable, low cost, low knowledge, and sustainable?
That is why we have been developing a framework we call Thornsec.
This was borne out of a real-world requirement for us as an organisation; with limited staff and a need to be as secure as possible, it is unsustainable for us to have a full-time employee whose only job is to do sysadmin work and rolling patching of our infrastructure. For starters, this stuff is quite hard to do in-house, and requires a multi-disciplinary approach. Secondly, what happens if this employee leaves, or becomes ill, or (heaven forbid!) goes on holiday?
Thornsec abstracts, behind a simple GUI interface, the complexities of networking models, firewalling, segregation, DNS, service management, virtualisation, updates, at-rest encryption, rolling incremental backups, the ability to build and tear down services, and, more importantly, the ability to audit the state of your network.
We have been dogfooding this since day zero, and we run this across our internal and external infrastructure. It's now at a stage where we can start to unveil it to a wider audience for their feedback, advice, and use.
This will not prevent all attacks and we certainly aren't saying 'use this and you'll be secure because we use military-grade encryption'. Rather, we want true tech to be easier for NGOs, and if we can do so in a way that makes it harder to successfully attack them, then we will have raised the bar. And we are looking for guidance and thoughts on how this can be made better, stronger, and more stable.